Feds Spark Boomlet for Risk Assessment Vendors

The U.S. government's push to utilize cloud-based technology will eventually lead to some blockbuster contracts -- many well over US$10 million and others for even more than $100 million. Consider that just one contract in the current batch -- a cloud deal for email services at the U.S. Interior Department -- carries a price tag of $35-million.

However, it may be some time before such contracts hit the headlines -- perhaps not until the end of 2012. The reason is that cloud providers will be required to meet the new security requirements being set by the federal government under the Federal Risk and Authorization Management Program, known as "FedRAMP."

Essentially the program is designed to help agencies meet the standards of the Federal Information Security Management Act (FISMA) by creating a "template" agencies can use multiple times for cloud configurations.

Cloud IT Enters Federal Mainstream

The program provides a standard approach to security in the federal cloud environment, enabling cloud service providers (CSPs) to be approved once and then provisioned government-wide, rather than having each agency assess security individually.

Under the program, CSPs must demonstrate that their information systems meet security requirements through an approved third-party assessment. Agencies will save time and money by avoiding the need to duplicate security protocols each time they develop a cloud project.

Eventually, the process should spur cloud adoption at the federal level. "FedRAMP is a clear signal that cloud computing has become main stream in the federal government. Federal agencies' demand for more powerful, lower-cost technology is stronger than ever," David Mihalhcik, head of Google Apps federal business development and sales, told the E-Commerce Times.

The program is being managed by the General Services Administration. In early June, GSA said it would begin accepting vendor applications for FedRAMP security approvals. As a result, cloud providers may have to wait until at least the end of 2012 to gain any additional cloud business from potential federal customers. GSA hopes to have a handful of FedRAMP provider approvals issued by then.

Opportunity for Risk Analysis Firms

However, a small group of IT service companies should begin to gain revenues from the FedRAMP program right away. These are the companies that will review and analyze the security status of cloud provider offerings. As part of the FedRAMP process, cloud vendors must have their security systems analyzed by an independent third-party assessment organization (3PAO). GSA so far has selected nine 3PAOs, and eight of them are IT business firms. The last is a unit of the Department of Transportation.

No government funds will be used for the 3PAO process. Instead, cloud providers must pay for the security reviews themselves, thus generating a tidy stream of revenue for the 3PAO companies offering FedRAMP risk analysis services.

None of the 3PAOs will actually be in the business of granting security approvals. Instead, they will forward their risk analysis of individual cloud provider offerings to a Joint Authorization Board (JAB) that consists of representatives from the Department of Homeland Security, GSA and the Department of Defense, which will issue approvals. The 3PAO firms will be required to use guidance from the National Institute of Standards and Technology in their security reviews of CSPs.

The federal Office of Management and Budget has estimated that the value of a single 3PAO analysis is around $200,000 on average. For more complex cloud configurations, the value could be much greater. The total potential market for 3PAOs will depend on the volume of federal cloud projects, but one federal estimate said that a fourth of the government's annual IT spending of $80 billion could eventually end up in a cloud configuration.

Business for the 3PAO companies appears to be brisk.

"Even before we were formally announced as a 3PAO, we had conversations about the process with some cloud providers. After the announcement, the number of calls skyrocketed," Todd Coen, vice president of the homeland security solutions division at
Dynamics Research Corporation (DRC), told the E-Commerce Times.

"Cloud service providers recognize that FedRAMP is a tremendous opportunity to rapidly expand their government services footprint, and they are planning to fully capitalize on it," he added.

"We have been approached by numerous cloud service providers already," Brian Pleffner, lab director for
COACT told the E-Commerce Times. COACT is another of the 3PAO companies.

The pace of business for 3PAOs should continue at a good clip for the rest of the year at least.

"CSPs who already have a footprint in the government market are the ones that will likely start the certification process first, because it affects their bottom line. I expect to see a steady ramp-up through the summer," said Coen.

Long-Term Business Potential

The opportunities for the 3PAO firms likely won't end with the first round of approvals. Two other elements of the program should ensure a solid and continuing revenue stream. One involves an annual checkup.

"FedRAMP requires an annual assessment of security controls by a 3PAO to maintain the FedRAMP provisional authority to operate," noted Coen.

In addition to the initial CSP approvals and the annual maintenance approvals, GSA will require CSPs to provide "continuous monitoring" of cloud security systems -- another potential revenue stream for 3PAOs. GSA said it would release specifics of the continuous monitoring program by early July.

"It is likely that additional annual requirements will be added to support continuous monitoring," said Coen.

"During the continuous monitoring phase, after a provisional authority to operate is granted, COACT will perform further independent verification and validation in support of continuous monitoring," Pleffner said.

It appears that the 3PAO firms are counting on gaining FedRAMP-related business for quite a while.

"As agencies build momentum with cloud adoption and get comfortable moving mission-critical applications into the cloud, market demand for technologies and services will continue to grow as new services are offered and new cloud service providers emerge," Coen said.

"FedRAMP is a large part of our business model for the future," said James McGehee, CEO of COACT. "We are excited to be embarking on our next strong line of business, and to be among the first accredited third-party assessment organizations."

John K. Higgins is a career business writer, with broad experience for a major publisher in a wide range of topics including energy, finance, environment and government policy. In his current freelance role, he reports mainly on government information technology issues for ECT News Network.